Cross-Site Scripting (XSS) via Unencoded User Input
Description
The application is vulnerable to Cross-Site Scripting (XSS) attacks due to unencoded user input being displayed. This can lead to malicious scripts being executed on the client-side, potentially resulting in unauthorized access, data theft, or other security breaches.
Examples
Insecure Code

```csharp
// The raw query-string value is written straight into the HTML response body.
Response.Write(Request.QueryString["name"]);
```

Secure Code

```csharp
// The value is HTML-encoded before it reaches the response body.
Response.Write(System.Text.Encodings.Web.HtmlEncoder.Default.Encode(Request.QueryString["name"]));
```

Remediation
Encode user-supplied data at the point where it is written into the response, using the framework's built-in System.Text.Encodings.Web encoders (HtmlEncoder, JavaScriptEncoder, UrlEncoder), and choose the encoder that matches the output context the value lands in.
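As an added example, not part of this rule page, the console program below applies each of the three encoders named above to one constructed untrusted value, one per output context; the helper names and the sample value are my own, and it assumes a .NET 6 or later console project.

```csharp
// Added example: the same untrusted value encoded for different output contexts.
// Assumes .NET 6+ where System.Text.Encodings.Web ships with the framework.
using System;
using System.Text.Encodings.Web;

static class ContextualEncoding
{
    // Constructed sample input standing in for an attacker-controlled "name"
    // query parameter; a literal here, not read from a request.
    public const string Untrusted = "Bob <b>\"O'Neil\"</b> & co";

    // HTML element body: HtmlEncoder turns < > & " ' into entities.
    public static string RenderGreeting(string name) =>
        "<p>Hello, " + HtmlEncoder.Default.Encode(name) + "</p>";

    // Quoted HTML attribute: HtmlEncoder again, and the attribute must stay quoted.
    public static string RenderInput(string name) =>
        "<input type=\"text\" value=\"" + HtmlEncoder.Default.Encode(name) + "\">";

    // JavaScript string literal: JavaScriptEncoder escapes quotes and < > as \uXXXX,
    // so the value cannot break out of the literal or close the <script> tag.
    public static string RenderScript(string name) =>
        "<script>var user = \"" + JavaScriptEncoder.Default.Encode(name) + "\";</script>";

    // URL query component inside an href: UrlEncoder for the parameter value, then
    // HtmlEncoder because the whole URL sits inside an HTML attribute.
    public static string RenderLink(string name) =>
        "<a href=\"/profile?name=" +
        HtmlEncoder.Default.Encode(UrlEncoder.Default.Encode(name)) +
        "\">Profile</a>";

    static void Main()
    {
        // Insecure: raw concatenation, so the markup in Untrusted becomes live HTML.
        Console.WriteLine("<p>Hello, " + Untrusted + "</p>");
        // Secure: each sink is encoded for its own context.
        Console.WriteLine(RenderGreeting(Untrusted));
        Console.WriteLine(RenderInput(Untrusted));
        Console.WriteLine(RenderScript(Untrusted));
        Console.WriteLine(RenderLink(Untrusted));
    }
}
```

Comparing the first output line with the rest shows why one encoder does not fit every sink: the HTML entities that make the body safe are not what a JavaScript literal or a URL component needs.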
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0459 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Cross-Site Scripting, User Input Validation |
| OWASP | A1:2017-Injection, A03:2021-Injection |